Before the Data Protection Commission 





BETWEEN:- 





Dr Johnny Ryan 
Complainant 


1. Google Ireland Limited 
2. Google LLC 
Respondents 


GROUNDS OF COMPLAINT TO 
THE DATA PROTECTION COMMISSION 


A. Introduction & Purpose of this Submission 





1. We are instructed by Dr Johnny Ryan.1 Dr Ryan is Chief Policy & Industry Relations Officer of
Brave Software, a company that offers a private web browser called Brave. He is the author of two
books on matters relating to the Internet, and its regulation. Dr Ryan's previous roles include
being a senior executive at PageFair, an advertising technology company, the Chief Innovation
Officer of The Irish Times, and a Senior Researcher at the Institute of International & European
Affairs.

2. We are instructed by Dr Ryan to lodge a complaint with the Data Protection Commission (DPC),
pursuant to Article 77 General Data Protection Regulation (GDPR) / section 108 Data
Protection Act (DPA). Dr Ryan considers that the processing of personal data relating to him by
Google Ireland Limited and/or Google LLC (herein collectively referred to as “Google”)
infringes the purpose limitation principle contained within Article 5(1)(b) GDPR.

1 Dr Ryan is an Irish citizen and resident in Ireland.

3. In particular, Google rely on2 (i) their Privacy Policy; (ii) their Google Account dashboard; and
(iii) “additional settings available via the user interface of the specific products”, summarised in
the Google Product Privacy Guide. Dr Ryan’s understanding is that these sources are said by
Google to:

i. set out the “specified, explicit and legitimate purposes” for which his data is collected
and processed, as required under Article 5(1)(b).

ii. provide him with “the purposes of the processing for which the personal data are
intended as well as the legal basis for processing”, in a transparent form, as required by
Article 12(1), Article 13(1)(c) and Article 14(1)(c).

iii. inform him of “the purposes of the processing”, in a transparent form, as required by
Article 12(1) and Article 15(1)(a).


4. Those sources fail to satisfy each of the requirements set out above. They fail to provide any
sufficient limitation on purpose, such that a data subject (such as Dr Ryan) has no clear idea of
the specific purposes for which his data has been, and is being, collected and processed. Indeed,
as developed below, the sources relied on by Google bear a striking resemblance to the examples
of unlawful practice identified by the Article 29 Working Party in its opinion on purpose
limitation and in the guidelines on transparency.4


5. As a corollary of the above, there will be infringements of other obligations in the GDPR. In
particular, but non-exhaustively:

i. There will have been inadequate identification of the “specific purposes” for which
consent is given under Article 6(1)(a) and Article 7, where that is the relevant lawful
basis for processing pursuant to Article 5(1)(a).

ii. There will have been inadequate identification of the “purposes of the legitimate
interests pursued by the controller” under Article 6(1)(f), where that is the relevant
lawful basis for processing pursuant to Article 5(1)(a).


2 See the email response from data-protection-office@google.com, 20 Jan 2020, 21:19 [B012 — B013]. NB — in Google’s email of
11 Feb 2020, 22:54 [B031], they state “All of the processing purposes are detailed in the Google Privacy Policy”, which appears to be a
narrower approach.

3 Opinion 03/2013 on purpose limitation (2 April 2013) 00569/13/EN WP 203. See also Doolin -v- The Data Protection Commissioner
[2020] IEHC 90

4 Guidelines on transparency under Regulation 2016/679 (11 April 2018) WP260 rev.01.

iii. There will have been inadequate identification of the purposes to allow data
minimisation, accuracy and storage limitation to be assessed, as per Article 5(1)(c), (d)
and (e).

iv. There will not have been explicit consent by the data subject to the processing of special
category data “for one or more specified purposes” pursuant to Article 9.


6. As to the action which Dr Ryan asks the DPC to take, he asks that — as well as investigating and
taking action in respect of the infringements identified above — the DPC require Google to
provide him with a complete and sufficiently specific list of the purposes for which Google
processes his personal data, and the relevant legal bases for each purpose. This information is his
entitlement under the GDPR. It is also the first step in an assessment of the legitimacy of those
purposes and the foreseeability of the processing involved (with implications for Google’s
compliance with various provisions of the GDPR, including those identified above). Indeed, one
of the functions of the Article 15(1)(a) right (and the Article 13(1)(c) and 14(1)(c) obligation) is to
allow for exactly this sort of assessment.


7. Accordingly, there are two elements to Dr Ryan’s complaint. One element relates to the
inadequate current identification of purposes by Google. The other relates to the lawfulness of
Google’s purposes once they have been correctly identified. Both are of importance to Dr Ryan,
and the DPC is asked to exercise its powers in respect of both. This may ultimately include the
DPC prohibiting Google from continuing to infringe Dr Ryan’s rights and requiring Google to
take whatever steps are necessary to comply with those rights. In turn, the DPC can prohibit
further unlawful activity and prevent what is an “internal data-free-for-all”5 that results from
Google’s processing activities.

B. Background

i. Introduction

8. Our client has entered into correspondence with Google in an effort to elicit an explanation as to
their collection and processing activities. Regrettably, Google has failed to engage with that
correspondence. Rather, Google has repeatedly and consistently refused to provide a substantive
answer to our client.


5 See [D001] 

9. We have set out the chronology of correspondence to date below. That correspondence chain is
exhibited at part B of the enclosed bundle. Page references to that bundle are contained within
square brackets (e.g. [B001]).

ii. Correspondence

10. Our client initially completed Google’s online “download my data” tool on 7 October 2019,
which is said by Google to provide a full and complete response to a subject access request (SAR)
under Article 15. Note that a copy of that request will be with Google only, as a copy is not
provided to data subjects. The responsive data was sent on the same day.

11. Following that SAR, Dr Ryan wrote to Google on 15 October 2019 via their online contact
form6 to address the shortcomings in the SAR response he received. Dr Ryan requested “the
purposes for which information are processed, and the legal basis for each purpose”, information
to which he is entitled under Article 13(1)(c) and Article 15(1)(a). In that contact form, Dr Ryan
noted at the time that he had already used the “download my data” tool.

12. On 14 November 2019, the “data protection office” of Google wrote to our client providing
generic information about how to use the “download my data” tool and how to use his Google
account [B001]. That response did not engage with the fact that our client had already used the
tool, which had not addressed his concerns. In particular, no information about purposes or
lawful bases was provided to our client. On 16 December 2019, our client filled in Google’s “Data
Access Request Form”, requesting the purposes of processing his data and the lawful basis for
each purpose.

13. On 27 December 2019, our client wrote to Google about the continuing failure to provide him
with the information to which he was entitled. That letter was from our client’s current solicitor
at his previous firm [B003]7. In that letter, our client outlined the information to which he is
entitled, and which remained missing from Google’s responses. Our client sought Google’s
substantive reply by 10 January 2020.

14. On 10 January 2020, following a chasing email from Dr Ryan’s lawyers, Google replied stating
that they required more time to provide a substantive response, stating “In the event we are not

6 A copy of which is appended to Google’s email of 14 November 2019 at [B001]. NB, that form was not easy to locate for our
client.

7 Dr Ryan is represented by Mr Ravi Naik. Mr Naik was previously at ITN Solicitors

in a position to respond by the 16 January 2020 we will notify you in advance of that date”
[B010]. Google did not reply by 16 January 2020.

15. On 17 January 2020, our client wrote to Google8 to request clarification of when Google would
provide the information to our client [B011].

16. On 20 January 2020, Google replied by email to our client’s letter of 27 December 2019
[B012 — B013]. In that response, Google did not provide any further information to our client as
requested. Rather, Google referred our client to a series of links on their website, including
reference to their privacy policies. Google further suggested that our client complete the
“download your data” tool again.

17. On 28 January 2020, our client served a pre-action letter to Google outlining the continued
failure to provide information to which he was entitled [B015]. That letter set out the history of
the matter, the requests our client had made and the continued and various breaches of the
GDPR by Google. A response was sought within 14 days, to 11 February 2020.

18. On 11 February 2020, Google served a response to our client’s solicitors stating [B027]:

As a preliminary point please note that we do not agree with your assertions regarding the alleged inadequacy
of the Google privacy policy and Google privacy practices generally, and reserve our position accordingly.

In your correspondence of 28 January 2020, you requested on behalf of your client, information regarding
the purposes for which Google processes your client’s data, the legal basis for such processing as well as a
subject access request response. These requests for information were made with reference to previous requests
for information made through a Google account. We note your request to be provided with that information
directly. However, please note that we are unable to verify the identity of a data subject in relation to a
Google account outside of the relevant account (Articles 11(2) and 12(2) GDPR). Accordingly, we have
provided additional information in response to the previous requests you referred to directly to the owner of
that account by sending an email to that account.

19. On the same date, Google also emailed our client directly stating (inter alia) [B030]:

8 From this firm, Dr Ryan’s new legal representatives. As above, Dr Ryan was and remains represented by Mr Naik

We note your comment that you previously used the download your data tool to download copies of data for
certain services. Mr. Naik has requested that we provide related information in addition to the data received
through that tool.

Legal Bases

Regarding the request for the legal bases associated with the processing purposes in the context of those Google
services, you can find information on the legal grounds relied upon to legitimize processing in the section
“European requirements” of the Google Privacy Policy. This information is provided in line with Art. 13
and 14 GDPR. Please note Article 15(1) of the GDPR does not require a controller to detail those legal
bases.

Processing Purposes

The purposes for which data may be processed in the context of those Google services include the purposes
detailed in the Appendix. All of the processing purposes are detailed in the Google Privacy Policy.

Relying on the Google Privacy Policy to detail the processing purposes in response to an Article 15 request
is the most appropriate way to provide such details in line with the requirements of Art 12(1) GDPR,
particularly the requirements to provide such information in a concise and easily accessible form, given that
a Google account can be used by any user to use any combination of all of the varied services available
through that account, all of which are interactive and are used differently and with different settings and
through different surfaces by each user from time to time over the lifespan of an account.

20. The email then set out a list of seven purposes under the heading “Appendix”: “provide our
services”; “maintain and improve our services”; “develop new services”; “provide personalized
services, including content and ads”; “measure performance”; “communicate with you”; and
“protect Google, our users, and the public”.

21. On 13 February 2020, our client responded to Google [B034]. That response set out the
inaccuracies and deficiencies in the responses from Google of 11 February 2020. Our client set
out why the Privacy Policies were not sufficient to comply with various aspects of the GDPR. The
response further highlighted the inadequacies of the responses received to date and repeated the
requests for full substantive responses for Google to be able to demonstrate compliance with the
GDPR. Our client made clear that he intended to address this matter to the DPC and therefore
requested Google to set out their position to either satisfy our client or allow him to make
informed submissions to the DPC. In those circumstances, it was not appropriate for Google to
continue to “reserve their position”. A response was sought by 18 February 2020.

22. No response was received by 18 February 2020. A chasing email was sent on 19 February 2020.
On 21 February 2020, Google sent an email stating [B038]:

Dear Sirs

We refer to your correspondence of 13 and 19 February 2020.

We do not agree with your assertions regarding the alleged inadequacy of the Google privacy policy and
Google privacy practices generally, and reserve our position accordingly.

Yours faithfully

Google

23. Thus, Google did not engage with our client’s substantive concerns or requests at all. A further
response was sent to Google on 24 February 2020 [B039], confirming that our client did not
consider these answers as adequate or appropriate. That email made clear that our client would
seek redress elsewhere, including from the DPC.

C. Grounds of complaint

I. Google’s current identification of their “purposes” is unlawful

Relevant legal principles

24. The obligations on Google to identify their “purposes” are found, in particular, in the following
provisions of the GDPR:

i. The second data protection principle, as contained in Article 5(1)(b), which requires
personal data to be “collected for specified, explicit and legitimate purposes and not further processed
in a manner that is incompatible with those purposes... (‘purpose limitation’)”;

ii. The provision of information including “the purposes of the processing for which the personal
data are intended as well as the legal bases for processing”, as per Articles 12(1), 13(1)(c) and
14(1)(c); and

iii. The right to be told “the purposes of the processing” under Articles 12(1) and 15(1)(a).

25. Under each of those provisions of the GDPR, Google is required to transparently and explicitly
specify the purposes for which the data is collected and processed.9 Google have failed to do so.

26. Purpose limitation is a fundamental requirement for lawfulness of processing from a human rights
perspective. Article 8(2) of the Charter of Fundamental Rights provides that “data must be
processed fairly for specified purposes.”

27. Specification is tied to foreseeability. In Case C-275/06 Productores de Musica de España (Promusicae)
v Telefonica de España SAU, Advocate General Kokott explained, in respect of a data transfer which
interfered with Article 8 ECHR rights, that:

AG53. Such an interference violates Art. 8 of the ECHR unless it is “in accordance with the law”. It
must therefore, in accordance with the requirement of foreseeability, be formulated with sufficient precision
to enable the citizen to adjust his conduct accordingly. The requirement of foreseeability has
found particular expression in data protection law in the criterion—expressly
mentioned in Art.8(2) of the Charter—of purpose limitation. Pursuant to the specific
embodiment of the purpose limitation criterion in Art.6(1)(b) of Directive 95/46, personal data may be
collected only for specified, explicit and legitimate purposes and not further processed in a way incompatible
with those purposes. (Emphasis added)

28. Foreseeability is, of course, a well-established principle. For instance, in Sunday Times v United
Kingdom (1979-80) 2 EHRR 245, the European Court of Human Rights stated that foreseeability
requires an individual to “be able - if need be with appropriate advice - to foresee, to a degree that is reasonable
in the circumstances, the consequences which a given action may entail.” Thus, a data controller should be
clear and open about their reasons for obtaining personal data before collection and ensure that
what they do with the data is in line with the reasonable expectations of the data subject
concerned. In turn, a data subject will have an expectation of how their data will be used and
must be able to predict what will occur with their data. Only in this way will legal certainty be
preserved.

29. This goes hand-in-hand with the principle of transparency, as is apparent from Recital 39 GDPR
which states inter alia:

9 Under Article 13(1)(c) and Article 14(1)(c) Google are also required to identify the legal basis for processing. As set out further
below, Google fail to do so in their privacy policy and associated documents.

The principle of transparency requires that any information and communication relating to the processing
of those personal data be easily accessible and easy to understand, and that clear and plain language be
used. That principle concerns, in particular, information to the data subjects on the identity of the
controller and the purposes of the processing and further information to ensure fair and transparent
processing in respect of the natural persons concerned and their right to obtain confirmation and
communication of personal data concerning them which are being processed. Natural persons should be
made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how
to exercise their rights in relation to such processing. In particular, the specific purposes for which
personal data are processed should be explicit and legitimate and determined at the time of the collection
of the personal data. The personal data should be adequate, relevant and limited to what is necessary
for the purposes for which they are processed.

30. Further, Dr Ryan draws on the Article 29 Working Party Opinion on purpose limitation.10 Of
particular relevance are section III.1 and Annex 3 of that Opinion. Dr Ryan emphasises:

i. In section III.1.1 “Purposes must be specified”, it is stated that this principle “lies at the core
of the legal framework established for data processing”. As to the level of detail needed, “a purpose
that is vague or general, such as for instance “improving users’ experience”, “marketing purposes”,
“IT-security purposes” or “future research” will — without more detail — usually not meet the criteria of
being “specific””. Cross-reference is made to examples 7 and 8 in Annex 3 of the Opinion.
The Opinion states that a “layered notice” usually works well, and gives the example
of additional information being provided on a link. It concludes that “ultimately... each
separate purpose should be specified in enough detail to be able to assess whether collection of personal
data for this purpose complies with the law, and to establish what data protection safeguards to apply”.

ii. In section III.1.2 “Purposes must be explicit”, it is explained that this means that the
purposes “must be clearly revealed, explained or expressed.” Special care is said to be
needed in the case of the internet, where there may be a “complex, opaque and
ambiguous context”. It may also be of assistance to consider the indication from the
summary in section II.2.1 that “comparing the notion of ‘explicit purpose’ with the notion of
‘hidden purpose’ may help to understand the scope of this requirement...”

iii. In section III.1.3 “purposes must be legitimate”, it is provided that this requirement
goes beyond a simple requirement that there be a lawful basis under Article 6. It
includes all other provisions of data protection law as well as other applicable laws. For
example, were Google’s processing to be in breach of competition law, this would
render the purpose illegitimate.

10 Opinion 03/2013 on purpose limitation (2 April 2013) 00569/13/EN WP 203. The Guidance is available here:
https://www.pdpjournals.com/docs/88095.pdf

31. The Article 29 Working Party Guidelines on Transparency11 (Guidelines on Transparency) are
also of assistance in this context. They set out in detail the requirements under Article 12, which
of course applies to Articles 13-15, but they are equally informative in respect of the “explicit”
nature of purpose limitation in Article 5(1)(b). Dr Ryan emphasises in particular:

i. “A central consideration of the principle of transparency...is that the data subject should be able to
determine in advance what the scope and consequences of the processing entails and that they should not
be taken by surprise at a later point about the ways in which their personal data has been used.” (para
10).

ii. “The “easily accessible” element means that the data subject should not have to seek out the information”
(para 11).

iii. It gives the following “Poor practice examples” which “are not sufficiently clear as to the purposes
of processing:

• “We may use your personal data to develop new services” (as it is unclear what the “services” are
or how the data will help develop them);

• “We may use your personal data for research purposes” (as it is unclear what kind of “research”
this refers to); and

• “We may use your personal data to offer personalised services” (as it is unclear what the
“personalisation” entails).”

iv. It addresses the format of information provision, suggesting that information should
never be more than “two taps away” (para 11 and para 33), and that layered privacy
statements/notices “are not merely nested pages that require several clicks to get to the relevant
information” (para 35). “The data controller must take active steps to furnish the information in
question to the data subject or to actively direct the data subject to the location of it.”

Application to the facts

32. As detailed above, Google places primary reliance on their Privacy Policy (the Policy), together
with the Google Account dashboard and some unidentified settings in respect of particular
products. The Policy is exhibited at [C001].

33. These sources are inadequate and unlawful.

11 Guidelines on transparency under Regulation 2016/679 (WP260 rev.01)

34. First, the purposes identified in the Policy under the heading “We use the information we collect
from all our services for the following purposes” (and set out again in the email of 11 February
2020 from Google) are hopelessly vague and unspecific. They are as follows: (1) Provide our
services (2) Develop new services (3) Provide personalized services, including content and ads (4)
Measure performance (5) Communicate with you; and (6) Protect Google, our users, and the
public. They bear a clear resemblance to the examples of bad practice provided in the Article 29
Working Party opinion and guidelines. Google is not assisted by the examples given under each
heading in the opinion and guidelines (at para 31 (ii) above), which are indicative only:

i. For instance, in the “develop new services” section of the Policy, Google state:

“We use the information we collect in existing services to help us develop new ones. For example,
understanding how people organized their photos in Picasa, Google’s first photos app, helped us design
and launch Google Photos.”

No further information is provided.

ii. To take another instance (of which there are numerous), in the “Provide personalized
services, including content and ads” section, Google state that they “may also show you
personalized ads based on your interests.” The term “personalized ads” links to a
further page, entitled “Why you're seeing an ad”. No further information concerning
the purposes of processing is provided on that page.

35. Secondly, it is not apparent from the Policy which activity, product or interaction is covered by
which purpose. It is therefore difficult (if not impossible) to decipher if and when a particular
purpose applies, for example, to data collected or processed in the context of YouTube,
Authorised Buyers or Maps etc. For a data subject who wishes to make an informed decision
about a particular interaction with Google, this is hopeless. Indeed, it is impossible to know what
“Google” means at any given moment of the Policy as it covers so many products and activities.
Google is an ill-defined catch all for such broad processing activities. Nevertheless, the result is
data falling into the Google system to be used by a variety of Google businesses and offerings for
unspecified purposes.

36. Thirdly, the Policy itself contains links to external policies and procedures. Google’s
identification of purposes is disjointed and disparate across several links and websites, which in
turn means that the average user cannot navigate through them to control their data. It is not
clear how those various policies interact or operate. This is not an example of a good practice
“layered” privacy notice. Rather, there is no possible way a data subject can navigate between all
the disparate links and sources to understand the totality of what Google do with their data or
how to exercise data rights. Rather, for a user to even attempt to understand and navigate the
available policies and procedures to control the use of their data, a data subject would have to
navigate between numerous, unconnected, websites. Those websites and sources are often not
linked, in turn making the navigation unworkable. Even after completing these arduous steps, a
data subject would not have a complete picture of Google’s processing purposes.

37. Fourthly, even if the data subject manages to locate the relevant policy for a particular activity,
there is often insufficient specificity of purpose at that level. By way of example, there has been
much press coverage of the concerns around what happens with location data.12 The specific
policy on location data is available here: https://policies.google.com/technologies/location-data.
When considered with the Policy and wider terms, it is still not clear what purposes location
data is collected for, as there is no specificity in this location policy. The totality of the information
available on the purposes for collecting data within that location policy is as follows:

From driving directions, to making sure your search results include things near you, to showing you when a
restaurant is typically busy, location can make your experiences across Google more relevant and helpful.
Location information also helps with some core product functionality, like providing a website in the right
language or helping to keep Google’s services secure.

38. This is not sufficiently precise for a data subject to understand what will occur with their location
data nor what data is strictly necessary to provide, for instance, the service of showing a person
where they are on a map. Despite the possibility of uncovering some basic information when
signing up (for instance if a person notices and clicks a “More Information” link13, and then
further studiously examines Google’s statements), it is still not clear exactly how data collected
from one Google product such as Maps will then be used by other products, such as advertising.
In turn, a data subject cannot know the purposes for which Google collect data.

39. Fifthly, on sign-up to a Google account, a data subject is not given sufficient information to
understand what will happen to their data (or even what data will be collected). We enclose an
overview of the sign-up process, which illustrates the hopelessness for a data subject to understand
the express purposes of processing their data and the related legal bases [D060].

12 See: https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html

13 See [D060]
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41. 


42. 


43. 


Sixthly, in an effort to understand the various processing activities undertaken by Google, Dr 
Ryan has analysed a variety of sources and documents to understand the processing purposes 
undertaken by Google. This required navigating between numerous disparate sources to even 
begin to understand what Google are doing. That analysis in enclosed by way of a table, available 
at page [D001] of the bundle. It indicates hundreds of purposes, compared to the six listed on 
the Google Policy. Some of those purposes identified in the analysis are not detailed within the 
Policy, or linked to the Policy. In particular, some of the purposes have been obtained from 
sources extraneous to Google or the Policy such as submissions to the Subcommittee on Antitrust, 
Commercial and Administrative Law of the U.S. House Committee on the Judiciary. Dr Ryan 
had to navigate between numerous sources, which took many weeks work. An average data 
subject could not conduct such an exercise. Despite that undertaking, our client could still not 
understand all the purposes and legal bases, and in part the table is based on inference and simply 
doing the best he could with the information available. This is unacceptable and betrays any 


suggestion that the Policy is adequate. 


Indeed, on the “activity on other sites and apps” section of the Policy, it is stated that Google will 
take data both from within Google and from external sources, from websites and apps that Google 
does not own. Thus, these problems extend to virtually all of a person’s online activity. Dr Ryan 
is therefore understandably concerned that his data enters an internal free-for-all within Google, 
as there is simply inadequate transparency about what happens with data once it enters the wider 


Google system, from within and outside of Google’s services. 


In conclusion, in breach of their obligations under Articles 5(1)(b), 12(1), 13(1)(c), 14(1)(c) and 
15(1)(c), Google have failed to identify the purposes for which they collect and process Dr Ryan’s 


data in a sufficiently specified, explicit and transparent manner. 


Dr Ryan notes in this regard that, as the DPC will be aware, these conclusions accord with the 
Decision of the Restricted Committee of the French Commission Nationale de l’Informatique et des 
Libertés SAN-2019-001 [A017]. In section 4 of that Decision (paragraphs 86-128), the Committee 
found that Google LLC had breached Articles 12 and 13 GDPR. In particular, it held that the 
relevant information was excessively spread out across several documents (paragraph 97) and 
difficult to find (paragraph 101). Further, the information provided was insufficiently clear and 
intelligible, and did not allow users to sufficiently understand the particular consequences of the 
processing for them (paragraphs 110 and 111). These conclusions are entirely correct. 


14 "This activity might come from your use of Google services, like from syncing your account with Chrome or your visits to sites and apps 
that partner with Google. Many websites and apps partner with Google to improve their content and services. For example, a website might 
use our advertising services (like AdSense) or analytics tools (like Google Analytics), or it might embed other content (such as videos from 
YouTube). These services may share information about your activity with Google and, depending on your account settings and the products 
in use (for instance, when a partner uses Google Analytics in conjunction with our advertising services), this data may be associated with your 
personal information." See: https://policies.google.com/privacy#footnote-other-sites and 
https://policies.google.com/technologies/partner-sites. 


II. Google’s current failure to identify the legal basis for processing is unlawful 


Under Articles 13(1)(c) and 14(1)(c) (but not under Article 15(1)(a)), Google are also obliged to 
identify the legal basis for processing. As set out in the Transparency Guidelines (p.35), this means 
that “the relevant legal basis relied upon under Article 6 must be specified”. 


Google’s Policy fails to meet these requirements. 


Firstly, Google provide a (flawed) list of legal bases within a section of the policy entitled 
“compliance and cooperation with regulators”, under a sub-heading “European requirements”. 
It is not clear on the face of the Policy or the contents page that the legal bases are contained 
within that section. 


Secondly, the legal bases are generic and not tied to individual processing activities. That section 
of the Policy provides generic information about the lawful bases, rather than providing legal 
bases for each specific purpose of processing. 


Thirdly, the bases are themselves described in indicative terms only. So, for example: 


Google state that they rely on consent as a legal basis. The Policy states that they “ask 
for [a data subject’s] agreement to process [their] information for specific purposes” 
but at no stage are those purposes explained. It is said “For example, we ask for your consent 
to provide you with personalized services, such as ads based on your interests. We also ask for your 
consent to collect your voice and audio activity for speech recognition. You can manage these settings in 
your Google Account.” It is not explained what “personalised services” or “ads based on 
your interests” mean nor is a data subject told what data is processed thereunder. 
Further, the use of the phrase “such as” caveats the sentence so that it is not exhaustive. 
In turn, a data subject cannot foresee what will happen to their data (either the purposes 
or the processing activities). Thus, those processing purposes are not “specific”. 


The Google Account settings also do not provide this information with sufficient 
specificity, as those settings only relate to generic matters such as “Web & App Activity” 
which is then said to cover “activity from sites, apps, and devices that use Google services, 
including”, with some broad examples then provided. A link to a “further information” 
section is provided. However, that link is again on generic terms. Thus, at no stage is a 
data subject able to give “freely given, specific, informed and unambiguous indication 
of [their] wishes”¹⁵, as they do not know the exact processing purposes they are 
consenting to. 


In sum, a data subject cannot know what they are consenting to in this category or any 
category at all through the activity controls. 


Google state that they rely on “legitimate interests”, but they say “this means we process 
your information “for things like”, with some broad examples then provided. Our client 
cannot — nor could anyone looking at the Policy — fathom the purposes to which 
legitimate interests relate. 


III. Google’s failures to identify the purpose of (and legal basis for) processing will give rise to consequential infringements of the GDPR 


As a consequence of Google’s failure to specify the explicit limited purpose for processing Dr 
Ryan’s data in a transparent way (and to identify the legal basis for that processing), there will be 
infringements of various obligations under the GDPR. Four examples are given here (which the 
DPC is asked to investigate and determine), but this is not an exhaustive list. 




Firstly, there will have been inadequate identification of the “specific purposes” for 
which consent is given under Article 6(1)(a) and Article 7, where that is the relevant 
lawful basis for processing pursuant to Article 5(1)(a). 


Secondly, there will have been inadequate identification of the “purposes of the legitimate 
interests pursued by the controller” under Article 6(1)(f), where that is the relevant 
lawful basis for processing pursuant to Article 5(1)(a). 


Thirdly, there will have been inadequate identification of the processing purposes by 
reference to which the data minimisation, accuracy and storage limitation principles 
are to be assessed, as per Article 5(1)(c), (d) and (e). 


Fourthly, there will not have been explicit consent by the data subject to the processing 
of special category data “for one or more specified purposes” pursuant to Article 9. 


15 As required pursuant to Article 4(11) 


This is particularly concerning when considering the sensitivity of the data involved. As 
the 2013 Opinion states, ‘the more sensitive the information involved, the narrower the 
scope for compatible use would be’. 


Dr Ryan stands ready to assist with more detailed submissions in regard to these additional 
matters, if helpful to the DPC. 


Actions which Dr Ryan asks the DPC to take 





The DPC is invited to exercise all its powers under Part 6 of the DPA2018 with respect to this 
complaint. 


In particular and as a primary matter, however, Dr Ryan asks that Google be compelled to 
provide Dr Ryan with a full and complete list of the purposes for which his data has been collected 
and processed. This is his entitlement under Article 15(1)(a) GDPR. Dr Ryan also asks that he be 
provided with the relevant legal basis for each instance of processing, as should have been 
provided to him under Articles 13(1)(c) and 14(1)(c). The DPC should, if necessary, file an 
enforcement notice to Google to provide our client with a full and complete response to his subject 
access request. That enforcement notice should require provision of all information to which our 
client is entitled under Article 15 GDPR, including specified purposes for collection of his 
personal data. That notice should also require Google to provide our client with the lawful basis 
for each processing activity being undertaken. Such a notice should be served pursuant to section 
109(5)(d) DPA. 


Further, the DPC should consider an audit of Google’s processing activities to be able to satisfy 
itself of compliance with Article 5(1)(b), so that all processing activities by Google are made clear 
to the DPC and to the public. This audit is necessary to understand if Google’s processing 
purposes are lawful, transparent, fair, retained for only as long as is necessary and satisfy Article 
5(1)(b). 


In any event, once that compliant list of purposes and legal bases has been provided, both the 
DPC and Dr Ryan will be in a position to consider the lawfulness of the data collection and 
processing which Google is in fact undertaking. Indeed, the very purpose of the information and 
transparency requirements of the GDPR is to allow a data subject (and indeed the DPC) to make 
such an assessment. It may well be the case that, following receipt of this information, Dr Ryan 
seeks to make further submissions in respect of Google’s collection and processing of his personal 
data. Ultimately, Dr Ryan will ask the DPC to make such order as is necessary to ensure that 
Google is collecting and processing his data lawfully, which may include an order for Google to cease 
data processing that infringes the GDPR, in particular the purpose limitation principle. 


Next steps 


If we can be of any further assistance, please do not hesitate to contact us. We would be grateful 
if you could keep us updated on the steps taken in response to this submission, in accordance with 
Article 77(2) of the GDPR. 


Victoria Wakefield BL 





Ravi Naik 


16 March 2020 